Threat Update: AcidRain Wiper

Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.

The Splunk Threat Research Team has addressed a new malicious payload named AcidRain. This payload, deployed in the ongoing conflict zone of Eastern Europe, is designed to wipe modem or router devices (CPEs). These devices provide internet connectivity and are usually based on specific architectures such as Microprocessor without Interlocked Pipeline Stages (MIPS), a type of processor architecture prevalent in CPEs which are devices designed to do specific functions unlike computer desktops or servers. This payload has been designed to destroy these types of devices, which are commonly used in commercial and residential infrastructure. 

Targeting MIPS devices also indicates the interest of actors in affecting targets (CPEs) in large amounts to cause massive damage and harm to commercial and residential infrastructure. It is being said that this payload targeted Satellite Modems affecting 5800 Wind Turbines. Targeting CPEs is not new and it's always a factor in very large DDoS campaigns as they usually provide connectivity and can be used in an aggregate manner in order to produce large attacks. The same can be said about destroying them, neutralizing anything dependent on connectivity and affecting related services. Most of these devices are of civilian use in nature and its destruction affects civilian livelihood as well. 

AcidRain is MIPS compile elf binary targeting modem or router devices to destroy or wipe data.

Initial Checking

At first this payload will execute fork() function and if a “dev/null” file exists; if this event check fails, it will either exit or close its execution. Else it will create a process session using setsid() function and duplicate its file descriptor. Below is the code screenshot of how this initial checking was made by AcidRain malware.

Skipping Common Linux Directory

It has a function that will be executed to enumerate and skip some non-standard directory in the compromised host. If the directory it found is not in the list of folder names shown in the screenshot below, that folder path will be passed on to the function that we renamed as recursive_wiper() to be processed.

The recursive_wiper() function will enumerate all the directories and files on the said chosen directory. If during enumeration it found a regular file (DT_REG) or symbolic link (DT_LNK) it will overwrite it with initialized data with size of 0x8000 bytes. If it is another directory, it will traverse all the files on that folder path, wipe it, then delete that directory using rmdir() function.

Admin Checks

Before the admin checking, it will allocate a mem buffer using malloc() function with a size of 0x40000 that will be used to wipe all the files it will find. 

Then It will check if the login user in the compromised host is root or not using the getuid() function. it will execute the mw_wipe_non_common_lnx_dir() that was discussed earlier and a series of functions to wipe or destroy device files related to the router or modem, then reboot the system. Below is the screenshot of its code. How it checks if the user is admin and wipes files and storage device files related to router or modem.

Below is the table of the function we renamed during our analysis and what device files it tries to destroy or to wipe that are related to either router's flash memory, sd/mmc memory card and block devices .

Wiper Feature

For overwriting or wiping device storage files, it has 2 functions to do it. One is overwriting those device files with a data buffer with a maximum 0x40000 initialized bytes buffer as seen in the screenshot below (left). For “/dev/mtd*”, it will use a series of ioctl commands to erase its data namely MEMUNLOCK, MEMERASE, MEMLOCK and MEMWRITEOOB. The code showing how AcidRain malware does it is shown below too (right).

Below are the screenshots showing our test of how it overwrites or wipes the /dev/mtdblock0 device file during running its payload.

The first one is the strace logs showing how it writes to /dev/mtdblock0 device storage file with its initialized buffer that wipes that files.

The next one is the hex view snippet of some of the device storage files after the execution of the AcidRain malware wiper.

Detections

Below is the detection made for AcidRain malware in a ubuntu linux machine with the use of qemu-mips emulator.

Linux High Frequency Of File Deletion In Etc Folder

This analytic looks for a high frequency of file deletion relative to process name and process id /etc/ folder.
 

| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime 
  FROM datamodel=Endpoint.Filesystem  
  where Filesystem.action=deleted Filesystem.file_path = "/etc/*" 
  by _time span=1h  Filesystem.dest Filesystem.process_guid Filesystem.action 
  | `drop_dm_object_name(Filesystem)` 
  |rename process_guid as proc_guid 
  |join proc_guid, _time [
  | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown 
  NOT (Processes.parent_process_name IN ("/usr/bin/dpkg", "*usr/bin/python*", "*/usr/bin/apt-*", "/bin/rm", "*splunkd", "/usr/bin/mandb")) 
  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid 
  | `drop_dm_object_name(Processes)` 
  |rename process_guid as proc_guid 
  | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action] 
  | table  process_name process proc_guid action _time  deletedFileNames deletedFilePath numOfDelFilePath parent_process_name parent_process  process_path dest user
  | where  numOfDelFilePath >= 200

Linux Deletion Of Cron Jobs

This analytic looks for a deletion of cron jobs in a linux machine. can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or  to evade some detections or a good indicator for malware that is trying to wipe or delete several files on the compromised host like the AcidRain malware.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem  
  where Filesystem.action=deleted Filesystem.file_path ="/etc/cron.*" 
  by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action
  | `drop_dm_object_name(Filesystem)` 
  |rename process_guid as proc_guid 
  |join proc_guid, _time [
  | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown 
  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid 
  | `drop_dm_object_name(Processes)` 
  |rename process_guid as proc_guid 
  | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action] 
  | table  process_name process proc_guid file_name file_path action _time parent_process_name parent_process  process_path dest user

Linux Deletion of Init Daemon Script

This analytic looks for a deletion of init daemon script in a linux machine.daemon script that is placed in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines.This TTP can be also a good indicator of a malware trying to wipe or delete several files like AcidRain malware.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem  
  where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/init.d/*") 
  by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action
  | `drop_dm_object_name(Filesystem)` 
  |rename process_guid as proc_guid 
  |join proc_guid, _time [
  | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown 
  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid 
  | `drop_dm_object_name(Processes)` 
  |rename process_guid as proc_guid 
  | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action] 
  | table  process_name process proc_guid file_name file_path action _time parent_process_name parent_process  process_path dest user

Linux Deletion of SSL Certificate

This analytic looks for a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in a compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what AcidRain malware does in linux or router machines.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem  
  where Filesystem.action=deleted Filesystem.file_path = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt")
  by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action
  | `drop_dm_object_name(Filesystem)` 
  |rename process_guid as proc_guid 
  |join proc_guid, _time [
  | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown 
  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid 
  | `drop_dm_object_name(Processes)` 
  |rename process_guid as proc_guid 
  | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action] 
  | table  process_name process proc_guid file_name file_path action _time parent_process_name parent_process  process_path dest user 

Linux Deletion of SSH Key

This analytic looks for a deletion of ssh key in a linux machine.This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what AcidRain malware does in linux or router machines.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem  
  where Filesystem.action=deleted Filesystem.file_path = "/etc/ssh/*" AND Filesystem.file_path = "~/.ssh/*" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action
  | `drop_dm_object_name(Filesystem)` 
  |rename process_guid as proc_guid 
  |join proc_guid, _time [
  | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown 
  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid 
  | `drop_dm_object_name(Processes)` 
  |rename process_guid as proc_guid 
  | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action] 
  | table  process_name process proc_guid file_name file_path action _time parent_process_name parent_process  process_path dest user

Linux Deletion of Services

This analytic looks for the deletion of services in a linux machine, attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what  AcidRain malware does in linux or router machines.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem  
  where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/systemd/*", "/usr/lib/systemd/*") Filesystem.file_path = "*.service" 
  by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action
  | `drop_dm_object_name(Filesystem)` 
  |rename process_guid as proc_guid 
  |join proc_guid, _time [
  | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown 
  by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid 
  | `drop_dm_object_name(Processes)` 
  |rename process_guid as proc_guid 
  | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action] 
  | table  process_name process proc_guid file_name file_path action _time parent_process_name parent_process  process_path dest user

IOC:

Mitigation

Mitigating these types of payloads can be very difficult. Due to their simplicity and small footprint, many of these devices do not have the ability to implement centralized logging that may allow defenders to detect attacks. In many instances, due to lack of standardization, many of these devices have unpatched vulnerabilities or libraries that are waiting to be exploited by malicious actors. 

Considering that many of these devices may be used by personnel working from home for enterprises or even military, it is necessary to understand that these vulnerabilities expose such perimeters to attack and that if it is not possible to monitor, upgrade or even verify integrity of these devices, the best course of action is to replace them with devices that allow integrity verification and monitoring. 

Discarding these devices may be needed as infection may indeed survive reboot or reset. Even if devices are not affected by this payload, an advanced adversary will find ways of targeting them due to the large amount of resources they can provide once compromised. Please follow the following links for specific information on hardening security. 

• CISA Home Network Security Guide (ST15-002) 
• CISA Securing Network Infrastructure Devices (ST18-001)
• NSA - Protecting VSAT Communications
   

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update. In the upcoming weeks, the Splunk Threat Research Team will be releasing a more detailed blog post on this analytic story. Stay tuned!

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

We would like to thank the following for their contributions to this post.

• Teoderick Contreras
• Rod Soto
• Jose Hernandez
• Patrick Barreiss
• Lou Stella
• Mauricio Velazco
• Michael Haag
• Bhavin Patel
• Eric McGinnis